IETF Logo Mail Archive

Re: [sidr] WGLC for draft-ietf-sidr-bgpsec-protocol-05

Rob Austein <sra@hactrn.net> Fri, 28 September 2012 14:17 UTC

Return-Path: <sra@hactrn.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5069E21F8630 for <sidr@ietfa.amsl.com>; Fri, 28 Sep 2012 07:17:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.67
X-Spam-Level:
X-Spam-Status: No, score=-99.67 tagged_above=-999 required=5 tests=[AWL=-2.929, BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_NET=0.611, HOST_EQ_NL=1.545, HOST_EQ_STATIC=1.172, RCVD_IN_SORBS_DUL=0.877, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fMjSAYm2lU-c for <sidr@ietfa.amsl.com>; Fri, 28 Sep 2012 07:17:22 -0700 (PDT)
Received: from cyteen.hactrn.net (cyteen.hactrn.net [IPv6:2002:425c:4242:0:210:5aff:fe86:1f54]) by ietfa.amsl.com (Postfix) with ESMTP id 72A7621F8622 for <sidr@ietf.org>; Fri, 28 Sep 2012 07:17:22 -0700 (PDT)
Received: from minas-ithil.hactrn.net (095-097-128-052.static.chello.nl [95.97.128.52]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (Client CN "nargothrond.hactrn.net", Issuer "Grunchweather Associates" (verified OK)) by cyteen.hactrn.net (Postfix) with ESMTPS id BF7559B429 for <sidr@ietf.org>; Fri, 28 Sep 2012 14:17:20 +0000 (UTC)
Received: from minas-ithil.hactrn.net (localhost [127.0.0.1]) by minas-ithil.hactrn.net (Postfix) with ESMTP id 662857DD08D for <sidr@ietf.org>; Fri, 28 Sep 2012 16:17:19 +0200 (CEST)
Date: Fri, 28 Sep 2012 16:17:19 +0200
From: Rob Austein <sra@hactrn.net>
To: sidr <sidr@ietf.org>
In-Reply-To: <5065ABF9.6050303@bbn.com>
References: <24B20D14B2CD29478C8D5D6E9CBB29F625F706AF@CMA-MB003.columbia.ads.sparta.com> <20120927165848.2BECA7DC673@minas-ithil.hactrn.net> <5065ABF9.6050303@bbn.com>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20120928141719.662857DD08D@minas-ithil.hactrn.net>
Subject: Re: [sidr] WGLC for draft-ietf-sidr-bgpsec-protocol-05
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Sep 2012 14:17:23 -0000

At Fri, 28 Sep 2012 09:54:01 -0400, Stephen Kent wrote:
> 
> >>   4.1.  Originating a New BGPSEC Update
> > ...
> >>      In particular, this AS number MUST match the AS number in
> >>      the AS number resource extension field of the Resource PKI end-entity
> >>      certificate(s) that will be used to verify the digital signature(s)
> >>      constructed by this BGPSEC speaker.
> > "The" or "an"?   Is it legal for the EE certificate to cover more RFC
> > 3779 resources than just a single ASN?
> yes, an EE cert can contain multiple ASNs, if they were allocated to the
> cert holder by the same parent.

I know that RFC 3779 allows multiple ASNs, having implemented it. :)

What I'm asking is whether it was Matt's intent to restrict BGPSEC to
requiring that only a single ASN be certified in the relevant EE
certificate.  I do not recall any such restriction during earlier
discussions of this protocol, which is why I flagged it.

> >>   6.1.  Algorithm Suite Considerations
> > ...
> >>      To this end, a mandatory algorithm suites document will be created
> >>      which specifies a mandatory-to-use 'current' algorithm suite for use
> >>      by all BGPSEC speakers [12].  Additionally, the document specifies an
> >>      additional 'new' algorithm suite that is recommended to implement.
> > Badly phrased, unless the real intent here is to say that we're going
> > to pick both the current and next algorithms right off the bat, which
> > seems unlikely to me.   I think it would be more correct to say that
> > we will specify an initial mandatory algorithm suite, and, once we
> > have some idea of what the next algorithm should be, we will publish
> > a series of updated documents phasing in the new one and (eventually,
> > years later) phasing out the old one.
> that would be consistent with the alg migration strategy described in
> draft-ietf-sidr-algorithm-agility-07

I assume (please correct if wrong) that your comment refers to my
suggested rephrasing being consistent with the algorithm migration
strategy.

v2.23.0 | Report a Bug | By Email